Pantek Library

Re: Opaserv.-- Problems

From: <SMiller(at)unimin.com>
Date: Tue Nov 26 2002 - 07:59:21 EST

Our experience with Opaserv is that it is somewhat tricky to eradicate. You are aware that it leaves a file or files (may be brasil.pif or another filename, in %windows% & elsewhere) that infect win.ini at each boot and that those files must be removed from an MS-DOS boot? Also the main vector for us was Windows file shares, particularly those with poor or no password protection (make certain that MS00-072 patch is applied to every copy of Windows on your network). Also make sure that no one is dialing onto the internet when you assume you are disconnected. I don't have the resources to trap and identify intrusions, but it appeared as if the source of the infection made repetitive attempts to reinfect a host (IP address) that it already marked as vulnerable.

Good hunting!

Scott Miller
Mgr IS Support
Unimin Corporation

                                                                                                           
                                             To:       focus-virus@securityfocus.com                     
                                               cc:                                                         
                      11/22/2002 06:46         Subject:  Opaserv.-- Problems                               
                      AM                                                                                   
                                                                                                           
                                                                                                           

Hello all,

I have a problem with the virus called Win32.Opaserv.A (can be .A.B.C.D.E), always a different match when looking for it with a virus scanner.

I have disconnected the 5 computers from the network and scanned them 1 by 1. First with F-prot (4dos), removing the infected files and restoring some from the Windows 98 CD. After that I scanned them with Norton Antivirus 2003, with latest virus definitions and patches. The computers seem to be clean when scanning them one by one without a connection to the network.

But two computers keep finding this virus when connected to the network. I double scanned all systems, no viruses. But when attached, it keeps changing the win.ini file.

What I discovered on several computers was the distributed net client (which we know from the RC5 and all those projects). After googling the mail address found in the dncnet.ini, it told me that it was a so called Hyder Worm.

So I'm a bit confused here, what's going on. And how come this virus pops up after 2-3 hours when working on the network.

System is blocked with ZoneAlarm and protected by Norton Antivirus 2003. So there is nobody coming in from the outside. I know that for sure. (Even with ADSL disconnected the virus pops up.)

Any ideas ...

Received on Tue Nov 26 13:40:36 2002
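Added example, not part of the original thread or written by either poster: both messages describe win.ini being modified again after a cleaned machine rejoins the network, so this sketch compares the auto-start entries of a clean baseline win.ini with a later copy and reports what was added. It assumes the change lands in the `run=` or `load=` keys of the `[windows]` section, which Windows 9x executes at startup; the sample file contents and function names are constructed for illustration.

```python
import re

AUTOSTART_KEYS = {"run", "load"}  # [windows] keys Windows 9x executes at startup

def autostart_entries(ini_text):
    """Return [(key, program), ...] found in the [windows] section of win.ini text."""
    entries, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()  # INI keys are case-insensitive
        if key in AUTOSTART_KEYS:
            # Several programs may be listed, separated by spaces or commas
            # (assumes short 8.3 paths without embedded spaces).
            entries.extend((key, prog) for prog in re.split(r"[,\s]+", value.strip()) if prog)
    return entries

def new_since_baseline(baseline_text, current_text):
    """Auto-start entries in the current file that the clean baseline did not have."""
    known = {(k, p.lower()) for k, p in autostart_entries(baseline_text)}
    return [(k, p) for k, p in autostart_entries(current_text) if (k, p.lower()) not in known]

# Constructed sample data: a clean win.ini and the same file after reconnecting.
CLEAN = "[windows]\nload=\nrun=\nNullPort=None\n\n[Desktop]\nWallpaper=(None)\n"
CHANGED = "[windows]\nload=\nRun=C:\\WINDOWS\\brasil.pif\nNullPort=None\n\n[Desktop]\nrun=ignored.exe\n"

if __name__ == "__main__":
    for key, prog in new_since_baseline(CLEAN, CHANGED):
        print(f"new auto-start entry: {key}={prog}")
```

Taking the baseline copy while the machine is still disconnected and comparing on a schedule afterwards shows when the entry reappears, which helps correlate it with network activity.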

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT

